Abstract:

In this paper we show how a distributed system with synchronous processors and asynchronous message delays can be simulated by a system with both asynchronous processors and asynchronous message delays in the presence of various types of processor faults. Consequently, the result of Fischer, Lynch and Paterson (1985), that no consensus protocol for asynchronous processors and communication can tolerate one failstop fault, implies a result of Dolev, Dwork and Stockmeyer (1987), that no consensus protocol for synchronous processors and asynchronous communication can tolerate one failstop fault.
1. Introduction


In this paper we show how a distributed system with synchronous processors and asynchronous message delays can be simulated by a system in which both processors and messages are asynchronous, in the presence of various types of processor failures. One application of this result is that now a result of Dolev, Dwork and Stockmeyer (1987), that no fault-tolerant consensus protocol is possible in a distributed system with asynchronous communication even if processors are synchronous, follows easily from the result of Fischer, Lynch and Paterson (1985), that no fault-tolerant consensus protocol is possible when communication and processors are asynchronous.

The equivalence of a system with synchronous processors and asynchronous communication to one in which both processors and communication are asynchronous has been a folk theorem in distributed computing circles for some time. One of the contributions of this paper is to present a careful statement and proof of this result, using a variant of Lamport clocks (Lamport, 1978). We have made precise a notion of simulation particularly suited to showing impossibility results. The novel feature of this paper is applying the simulation result to obtain an easy proof of the impossibility of fault-tolerant consensus for synchronous processors and asynchronous communication.

The sense in which we show that the two systems are equivalent is that no 
processor can tell if it is in one system or the other. Of course, an outside observer 
can tell the difference. For instance, if all the processors are to perform some action 
at their tenth step, the effect could be quite different with synchronous processors 
(where the actions would happen at the same real time) than with asynchronous 
processors (where the actions do not necessarily happen at the same real time). 
Thus, the notion of simulation that we define preserves local views, but not global 
views. 

We observe that the only situation visible to a processor in the system with asynchronous processors that cannot happen in the system with synchronous processors is for the processor to receive a message at its i-th step that was sent at the sender's j-th step, where j > i. To avoid this anomalous situation, our simulation tags all messages with the sender's current step number; then processors save messages that arrive too early, and wait to process them until they are no longer early. (Compare Lamport clocks, which cause the local clock, or step counter, to skip ahead when a message with too large a timestamp arrives.)
Neiger and Toueg (1986) have independently developed the same simulation technique. However, they do not consider faults, and they apply the simulation to different problems, namely, determining when one can substitute these modified Lamport clocks for real time clocks while maintaining correctness, and determining when a variant of common knowledge, achieved with the help of this simulation, can be substituted for the standard notion of common knowledge. Their paper formally characterizes types of behavior that can be preserved by this simulation.

Our formal model is presented in Section 2. In Section 3 we show how to do the simulation for Byzantine processor faults. Simplifications for weaker fault models are presented in Section 4. Finally, Section 5 demonstrates that the result of Dolev, Dwork and Stockmeyer (1987) follows from that of Fischer, Lynch and Paterson (1985).

2. Model 

We model a general distributed system in which processors communicate by 
sending messages. Conceptually, there is a global clock that measures time in 
integer ticks. At each tick, some processors take steps, in which they can atomically 
receive messages, change state and send messages. A message buffer holds messages 
between the sending and receiving times. A protocol determines for each processor 
the state changes and messages sent, given the old state and messages received. 

A run of the protocol specifies at each tick which processors take steps and which 
messages are received. Various kinds of faulty processor behaviors are introduced 
next. After formally defining what a system is in this general model, we define the 
type of simulation we are concerned with. 

2.1 Basic Model 

Messages are assumed to be unique and are tagged with both the sender's and recipient's names by the message system. The message buffer holds messages that have been sent but not yet received. It is modeled as a set of messages. A processor is a deterministic state machine with a set of states, and a transition function that uses the current state and messages received to compute the new state and messages to be sent (at most one message to each processor). Certain states are designated initial states. A protocol is a set of n processors. In our terminology, a processor is more than just bare hardware — it includes the local algorithm for changing state and sending messages. A protocol is the collection of all the local algorithms.
A step of processor p is designated either a, indicating that p does some computation, or A, indicating that p does nothing. An a step is an active step. A processor history for processor p, H_p, consists of an infinite sequence d_1 s_1 d_2 s_2 … of states of p alternating with steps s_i of p such that d_1 is an initial state, and if s_i = A, then d_i = d_{i+1}. The i-th state of H_p is denoted state(H_p, i), and the i-th step step(H_p, i). Given processor history H_p and integer i, define active(H_p, i) to be the number of active steps in H_p up to and including the i-th step. A message buffer history H_B is an infinite sequence M_1 M_2 …, where each M_i is a set of messages and M_1 = ∅, such that if message m is in M_i and not in M_{i+1}, then m is not in M_j for any j > i. The i-th element of H_B is denoted by msgs(H_B, i).

A run R of protocol P consists of n processor histories H_p, one for each processor p in P, and a message buffer history H_B such that the following are true. Suppose message m has sender p and recipient q, and i is the smallest integer such that m is in msgs(H_B, i). (1) Then step(H_p, i − 1) is active. We say m is sent by p at step i − 1. (2) Furthermore, if j is the greatest integer such that m is in msgs(H_B, j), then step(H_q, j) is active. We say m is received by q at step j.

Given a processor history H_p, define states(H_p) to be the (finite or infinite) sequence of states d_1 d_2 …, where d_1 = state(H_p, 1) and d_{i+1} is the state following the i-th active step in H_p. (The do-nothing steps have been eliminated and the state transitions isolated.) For a run R = (H_B, {H_p}_{p∈P}), define states(R) to be {states(H_p)}_{p∈P}.

Various types of processor faults are now considered, classified by their observable effects. Suppose processor p has processor history H_p = d_1 s_1 d_2 s_2 … in run R. Fix i and let M be the set of messages received by p at step s_i, and let M' be the set of messages sent by p at step s_i. Processor p operates correctly at step s_i if d_{i+1} is the result of p's transition function applied to d_i and M, and if M' is exactly the set of messages returned by p's transition function applied to d_i and M. Processor p exhibits an omission failure upon sending at s_i if d_{i+1} is the result of p's transition function applied to d_i and a subset S of M, and M' is a strict subset of the set of messages returned by p's transition function applied to d_i and S. Processor p exhibits an omission failure upon receiving at s_i if p does not operate correctly at s_i, but p's transition function applied to d_i and a strict subset of M produces d_{i+1} and a set of messages of which M' is a subset. A message not used by the transition function, or not placed in the message buffer, is omitted. (Note that these definitions allow a processor to exhibit an omission failure upon both sending and receiving at the same step.) Processor p exhibits a Byzantine failure at s_i if d_{i+1} and M' cannot be described as the result of p's operating correctly, or p's exhibiting an omission failure upon sending or receiving.

Processor p is nonfaulty in run R if it takes an infinite number of active steps and operates correctly at each one; otherwise p is faulty. Faulty processor p is failstop-faulty in run R if it takes only a finite number of active steps and operates correctly at each one. Faulty processor p is omission-faulty in run R if p is not failstop-faulty, and at each active step p either operates correctly or exhibits an omission failure upon sending or receiving. Faulty processor p is Byzantine-faulty in run R if p is not failstop-faulty or omission-faulty, and at each active step p operates correctly, exhibits an omission failure, or exhibits a Byzantine failure.

The next definition concerns communication faults. A message m sent in an infinite run is lost if the recipient takes infinitely many active steps but never receives m.

2.2 Systems 

We are interested in restricting the allowable runs (of any protocol) in different ways. Fix a protocol P. Let runs(P) be the set of all runs of P. Define the universe of all runs, U, to be ∪_P runs(P), the union over all protocols P. A system is a subset of U. The system U can be characterized as having unreliable, asynchronous communication, since it includes runs in which messages are lost and runs in which messages remain in the buffer for arbitrarily long periods of time. Similarly, U has asynchronous processors, since there is no restriction on the number of A steps between consecutive active steps in a processor history. There is also no restriction on the number or types of processor faults exhibited, when all the runs of U are considered.

The following systems are used as building blocks in this paper. 

• System SP: the set of all runs such that if a processor takes a A step, then all subsequent steps of that processor are A steps. This system has synchronous processors. The processors can know the global clock value, because it is the same as the number of active steps they have taken.

• System RC: the set of all runs such that no messages are lost. This system has asynchronous, but reliable, communication.

We can restrict the number and type of faults to be considered by defining:

• System FS(t): the set of all runs such that at most t processors are failstop-faulty, and the rest are nonfaulty.

• System OM(t): the set of all runs such that at most t processors are omission-faulty or failstop-faulty, and the rest are nonfaulty.

• System BZ(t): the set of all runs such that at most t processors are Byzantine-faulty, omission-faulty or failstop-faulty, and the rest are nonfaulty.

2.3 Simulations 

A simulation function f_{p'} for processors p' and p is a function from states of p' to states of p. Extend f_{p'} to map sequences of states of p' to sequences of states of p by defining f_{p'}(d_1 d_2 …) = f_{p'}(d_1) f_{p'}(d_2) ….

Run R' = (H_{B'}, {H_{p'}}_{p'∈P'}) of protocol P' simulates run R = (H_B, {H_p}_{p∈P}) of protocol P via set F = {f_{p'} : p' ∈ P'} of simulation functions, if there exists a one-to-one correspondence c between processors of P' and processors of P with the following properties. Fix p' in P', and let p = c(p'). (1) The simulation function f_{p'} for p' and p satisfies f_{p'}(states(H_{p'})) = states(H_p). (2) If p' is nonfaulty in R', then p is nonfaulty in R. We say processor p' simulates processor p for runs R and R' via f_{p'}. (The simulation function f_{p'} does not necessarily cause p' to simulate p for other pairs of runs.)

Protocol P' in system A' simulates protocol P in system A if there exists a set F of simulation functions such that (1) for every run R' of P' in system A', there exists a run R of P in system A such that R' simulates R via F, and (2) for every run R of P in system A, there is a run R' of P' in system A' such that R' simulates R via F. We call P' a simulation protocol for P relative to A' and A.

System A' simulates system A if, for any protocol P, there exists a protocol P' such that protocol P' in system A' simulates protocol P in system A.

This definition of simulation is very strong, since the correspondence between runs of the simulation protocol and runs of the original protocol must be onto. However, for showing lower bounds or impossibility results, this strength is good, and in fact is necessary for the application in Section 5. A more appropriate definition for upper bounds would not require the correspondence to be onto, but would need some condition on the responses of the simulation protocol to various inputs of the original protocol, in order to rule out trivial solutions. As discussed in the introduction, this definition of simulation concentrates on the sequences of individual processors' state transitions, and is not concerned with global behavior that is only detectable by an observer outside the system.

3. Simulating Synchronous Processors with Byzantine Faults

Our goal is to show that if the communication system is asynchronous, then synchronous processors “don't help” — i.e., a system with asynchronous processors and asynchronous communication can simulate (the state transitions of) a system with synchronous processors and asynchronous communication, even if there is any number of Byzantine-faulty processors. The main idea of the simulation is for each asynchronous processor to keep track of how many active steps it has taken and append this number on each message (of the synchronous protocol) sent. The only situation visible to the processors in the asynchronous case that cannot occur in the synchronous case is for a processor at its i-th active step to receive a message that was sent at the sender's j-th active step, where j > i. To avoid this anomaly, such “early” messages are simply saved up until the recipient has passed its j-th active step, and then they are used in the simulation.

Although the model of computation presented in this paper gives processors the ability to receive and send messages in the same atomic step, and to send messages to all the processors at one step, this power is not necessary for the simulation to work. If the model is weakened so that processors can send at most one message at a step, or can only send or receive at a step but not both (as studied by Dolev, Dwork and Stockmeyer (1987)), the same simulation will show that asynchronous processors can simulate synchronous processors when communication is asynchronous.

Subsection 3.1 describes the simulation protocol for a given synchronous protocol in more detail. In Subsection 3.2, we show how to map a run of the simulation protocol to a run of the simulated protocol. The proof of the main result is presented in Subsection 3.3.

3.1 Simulation Protocol 

Fix t between 1 and n. Let system S1(t) be the intersection of systems BZ(t) and RC and SP. This is the system with at most t Byzantine-faulty processors, reliable asynchronous communication and synchronous processors. Let system A1(t) be the intersection of systems BZ(t) and RC. This is the system with at most t Byzantine-faulty processors, reliable asynchronous communication and asynchronous processors.

Fix a protocol P. We define a simulation protocol P' for P relative to A1(t) and S1(t) as follows. Each processor p' in P' is assigned a processor p in P to simulate; it knows the states and transition function for p as well as the processor correspondence c. Each state d of p' has a component d.sim. It also has components d.early, which is a set of messages (to be described below), and d.counter, which tells the sequence number of the next active step p' will take. Every message m that p' sends in the step following state d has the value of d.counter appended to it, in a tag called m.tag. Each processor also keeps the necessary information to decide if message m from p' is the first message from p' with the tag value m.tag. (More than one such message is only sent if p' is Byzantine-faulty.)

We first describe the states of p'. An initial state d of p' has d.sim equal to an initial state of p, d.early = ∅ and d.counter = 1. There is one initial state of p' for each initial state of p. Non-initial states are obtained by starting from an initial state and applying p''s transition function (some number of times).

We now describe p''s transition function. Suppose that p' is in state d and receives the set of messages M. Let E be the set of all messages m in M ∪ d.early such that m is the first message received from the sender with the tag value m.tag. Let M' be the set of all messages m in E such that m.tag < d.counter. Then p' calculates the result of the transition function for p applied to d.sim and M' (after removing the tag components of the messages and applying c to the sender's name). Call the results the state d'' and the message set M''. Let d' be the new state of p'; d'.sim is set equal to d'', d'.early is set equal to E − M', and d'.counter is set equal to d.counter + 1. The messages sent are those in M'', each tagged with d.counter.
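The transition function just described, as an executable added example that is not part of the paper: a Python wrapper turning any transition function of a synchronous protocol P into a processor p' of the simulation protocol P', including the first-message-per-tag check that defends against a Byzantine sender reusing or forging tags. The toy protocol, the processor names p, q, z and the delivery schedule are constructed here, and the correspondence c is assumed to be the identity on names.

```python
"""Added example (not the paper's code): the Section 3.1 simulation protocol P'.

A processor p' keeps d.sim, d.early and d.counter, tags each outgoing message
with d.counter, and feeds a message to p's transition function only once it is
the first one from its sender with that tag and its tag is below d.counter."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Msg = Tuple[str, str, str]              # (sender, recipient, text) in P
TaggedMsg = Tuple[str, str, str, int]   # (sender, recipient, text, tag) in P'
# Transition function of P: (state, received) -> (new state, messages to send).
Transition = Callable[[object, List[Msg]], Tuple[object, List[Msg]]]


@dataclass
class SimProcessor:
    """One processor p' of P'; the fields mirror the components of a state d."""
    name: str
    delta: Transition                 # transition function of the simulated p
    sim: object                       # d.sim
    early: Set[TaggedMsg] = field(default_factory=set)          # d.early
    counter: int = 1                  # d.counter: number of the next active step
    seen: Set[Tuple[str, int]] = field(default_factory=set)     # (sender, tag)
    trace: List[object] = field(default_factory=list)           # states(H_p)
    consumed: List[List[int]] = field(default_factory=list)     # tags used per step

    def __post_init__(self) -> None:
        self.trace.append(self.sim)

    def active_step(self, received: List[TaggedMsg]) -> List[TaggedMsg]:
        """One active step of p'; returns the tagged messages p' sends."""
        # E: messages in M ∪ d.early that are the first from their sender with
        # that tag.  A reused tag (only a Byzantine sender does this) or a tag
        # that is not a positive integer never reaches the simulated protocol.
        e: Set[TaggedMsg] = set()
        for m in list(received) + list(self.early):
            sender, _, _, tag = m
            if not (isinstance(tag, int) and tag >= 1):
                continue
            if m in self.early or (sender, tag) not in self.seen:
                self.seen.add((sender, tag))
                e.add(m)
        # M': no longer early (tag < d.counter).  The rest become d'.early.
        ready = {m for m in e if m[3] < self.counter}
        self.early = e - ready
        self.consumed.append(sorted(m[3] for m in ready))
        # Strip tags (c is the identity, so sender names stay) and run p.
        stripped = sorted((s, r, text) for (s, r, text, _) in ready)
        self.sim, outgoing = self.delta(self.sim, stripped)
        tagged = [(s, r, text, self.counter) for (s, r, text) in outgoing]
        self.counter += 1
        self.trace.append(self.sim)
        return tagged


def make_toy_delta(me: str, others: List[str]) -> Transition:
    """Constructed toy protocol P: state = (round, log of texts received).
    Each step logs what was received and sends 'r<round>' to every other."""
    def delta(state: object, received: List[Msg]) -> Tuple[object, List[Msg]]:
        rnd, log = state
        log = log + tuple(f"{s}@{text}" for (s, _, text) in received)
        return (rnd + 1, log), [(me, o, f"r{rnd}") for o in others]
    return delta


def run_scenario() -> Dict[str, object]:
    """Constructed schedule: p' races three steps ahead of q', and a Byzantine
    z' reuses tag 1 and sends a non-positive tag.  All of it lands on q' in one
    delivery at q''s first active step, which no synchronous run allows."""
    p = SimProcessor("p", make_toy_delta("p", ["q"]), (0, ()))
    q = SimProcessor("q", make_toy_delta("q", ["p"]), (0, ()))
    buffer: List[TaggedMsg] = []
    for _ in range(3):                      # p' takes active steps 1, 2, 3
        buffer += p.active_step([])
    buffer += [("z", "q", "X", 1), ("z", "q", "Y", 1), ("z", "q", "bad", 0)]
    for_q = [m for m in buffer if m[1] == "q"]
    for step in range(1, 6):                # q' takes active steps 1 .. 5
        q.active_step(for_q if step == 1 else [])
    return {"p_trace": p.trace, "q_trace": q.trace, "q_consumed": q.consumed}


if __name__ == "__main__":
    result = run_scenario()
    for step, tags in enumerate(result["q_consumed"], start=1):
        # Every consumed tag is below the step number: the anomaly "received
        # at step i, sent at step j >= i" is never visible to P.
        assert all(t < step for t in tags)
    print(result["q_consumed"])   # [[], [1, 1], [2], [3], []]
    print(result["q_trace"][-1])  # (5, ('p@r0', 'z@X', 'p@r1', 'p@r2'))
```

The messages tagged 1, 2, 3 all arrive at q''s first active step, yet P only sees them at steps 2, 3 and 4, and the duplicate "Y" and the tag-0 message from z' are dropped.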

3.2 Constructing Corresponding Runs 

Pick a run R' = (H_{B'}, {H_{p'}}_{p'∈P'}) of P' in system A1(t). We describe a particular run R of protocol P corresponding to R'. (In the next subsection we show that R is in S1(t).)

We define the message buffer history H_B. Suppose processor p', at its a-th active step, sends message m' with tag b to processor q'. (As will be discussed in Section 4, if p' is not Byzantine-faulty, then a = b.) Let m be the message obtained from m' by deleting the tag and changing the sender to p and the recipient to q. If b is anything other than a positive integer (for instance, missing) or if m' is not the first message received by q' from p' with tag b, then nothing corresponding to m' is present in H_B. Otherwise, let i = min(a + 1, b + 1). (The goal is for m to be sent in R either at the same active step when p' actually sends m', or when p' claims, via the tag, to have sent it, whichever is earlier.) Suppose q' receives m' at its l-th active step. Let j = max(b + 1, l). If m' is never received in H_{q'}, or if q' takes fewer than j active steps, then m is in msgs(H_B, k) precisely for all k ≥ i. Otherwise m is in msgs(H_B, k) precisely for i ≤ k ≤ j. No other messages are present. Clearly H_B is a message history.

We define inductively the processor history H_p = d_1 s_1 d_2 s_2 … for processor p in P, which is simulated by processor p' in P'. Let H_{p'} = d'_1 s'_1 d'_2 s'_2 …. For the basis, d_1 = d'_1.sim. Suppose the processor history up to d_i has been defined. If there are fewer than i active steps in H_{p'}, then s_i = A and d_{i+1} = d_i. Otherwise, s_i = a, and d_{i+1} = d'_k.sim, where d'_k is the state following the i-th active step in H_{p'}. Clearly, the sequence H_p is a processor history for p in P.

Lemma 1: R = (H_B, {H_p}_{p∈P}), as defined above, is a run of protocol P.

Proof: We already know that the H_p's are processor histories for P. We must show that the message buffer behaves properly. Suppose message m has sender p and recipient q, and i is the smallest integer such that m is in msgs(H_B, i). (1) By construction of R, there exists a such that m' (m with tag b) is sent at p''s a-th active step, and i − 1 = min(a, b). Thus p' takes at least i − 1 active steps, so step(H_p, i − 1) is active. (2) Suppose m is received in R. Let j be the greatest integer such that m is in msgs(H_B, j). By construction of R, there exists l such that m' is received at q''s l-th active step, j = max(b + 1, l), and q' takes at least j active steps. Thus, step(H_q, j) is active. □

3.3 Results 

This subsection contains the proof that the simulation protocol actually works. For the remainder of this section, fix a run R' of P' in A1(t), and construct run R from R' as above. Recall that processor p' in P' simulates processor p in P for runs R' and R.

Lemma 2: Processor p' takes an infinite number of active steps in R' if and only 
if p takes an infinite number of active steps in R. 

Proof: By construction of R. □ 

Nonfaulty, sending omission-faulty and failstop-faulty behaviors are preserved 
by the simulation. However, if a processor p' exhibits an omission failure upon 
receiving in R' and the message omitted is early, then p in R may exhibit a weaker 
form of faulty behavior (or perhaps be nonfaulty). Similarly, if a processor p' 
exhibits a Byzantine failure in R' and the Byzantine nature of the error only affects 
the tag on a message, then p in R may exhibit a weaker form of faulty behavior (or 
perhaps be nonfaulty). Lemmas 3 and 4 demonstrate these facts. 
Lemma 3: If p' is not Byzantine-faulty and p' operates correctly at step(H_{p'}, i), then p operates correctly at step(H_p, j), where j = active(H_{p'}, i).

Proof: Suppose at step(H_{p'}, i), p' applies p's transition function to the set of messages M', and that p receives the set of messages M at step(H_p, j). The following argument shows that M' = M. We say that a message m' of R' and a message m of R correspond if the text is the same and the senders and recipients are corresponding processors (with respect to the simulation). Message m is in M' if and only if there is some corresponding message m' such that m' is the first message received from the sender in H_{p'} with tag value m'.tag, m'.tag is a positive integer, and m'.tag < j. These three conditions are true if and only if m is in M.

By construction of R, state(H_p, j) = state(H_{p'}, i).sim. Since p' operates correctly at step(H_{p'}, i), and it applies p's transition function to state(H_p, j) and M, and since state(H_p, j + 1) = state(H_{p'}, i + 1).sim, p changes state correctly at step(H_p, j).

Suppose p' sends the set of messages N' at step(H_{p'}, i) and p sends the set of messages N at step(H_p, j). Since p' operates correctly, we can deduce that state(H_{p'}, i).counter = j, all the tags of messages in N' are equal to j, there is at most one message sent to each processor, and no other messages from p' have tag j (because p' is not Byzantine-faulty). Thus, if m' is in N', then a corresponding m is in N, and if m is in N, then a corresponding m' is in N'.

Thus, p sends the correct messages at step(H p ,j). □ 

Lemma 4: (a) If processor p' is nonfaulty in R', then processor p is nonfaulty in R.

(b) If processor p' is failstop-faulty in R', then processor p is failstop-faulty in R.

(c) If processor p' is omission-faulty in R', then processor p is omission-faulty, failstop-faulty or nonfaulty in R.

Proof: Parts (a) and (b) follow from Lemmas 2 and 3. 

(c) The hypothesis that p' is omission-faulty in R' is equivalent to assuming that at each active step (of which there are either a finite or infinite number), p' either operates correctly or exhibits an omission failure, and there is some active step at which p' exhibits an omission failure.

By Lemma 3, if p' operates correctly at step(H_{p'}, i), then p operates correctly at step(H_p, j), where j = active(H_{p'}, i).

Suppose p' exhibits an omission failure upon sending at step(H_{p'}, i). Then by construction of R, p exhibits an omission failure upon sending at step(H_p, j), where j = active(H_{p'}, i).

Suppose p' exhibits an omission failure upon receiving at step(H_{p'}, i), and one of the messages omitted is m. Let a = active(H_{p'}, i) and m.tag = b. If b < a, then by construction of R, p exhibits an omission failure upon receiving at step(H_p, a) (p' should have used m in the simulation when m was received). If b ≥ a, then by construction of R, p could exhibit an omission failure upon receiving at step(H_p, b + 1) (p' should have saved m and used it in the simulation when its counter reached b + 1). However, it might be the case that the presence or absence of message m is immaterial to p's state change and set of messages sent, in which case p operates correctly at step(H_p, b + 1).

Thus, at each active step in R, p either operates correctly, or exhibits an omission failure. The result follows. □

Lemma 5: R is in system S1(t).

Proof: R is in system SP since, by construction of R, once a processor takes a A step, all subsequent steps are A steps.

Since R' is in system BZ(t), at least n − t processors are nonfaulty in R'. By Lemma 4, at least n − t processors are nonfaulty in R. Thus, R is in system BZ(t).

Next we show that R is in system RC. Suppose message m is sent in R by processor p to processor q, and q takes infinitely many active steps. In R', p' sends message m' (m with tag b for some positive integer b) to q'. Since R' is in system RC, and since by Lemma 2 q' takes infinitely many active steps, m' eventually arrives in R', say at q''s l-th active step. Then m is received at step(H_q, j), where j = max(b + 1, l). □

Theorem 6: System A1(t) simulates system S1(t), for any value of t, 1 ≤ t ≤ n.

Proof: Fix any protocol P. Let P' be the protocol defined above. We must show that protocol P' in system A1(t) simulates protocol P in system S1(t). Let the correspondence c between processors in P' and processors in P be that implicit in the construction of P'. Define a set F = {f_{p'} : p' ∈ P'} of simulation functions as follows. Fix p' in P' and let p = c(p'). Define simulation function f_{p'} from states of p' to states of p to be f_{p'}(d') = d'.sim.

The first direction is showing that for every run R' of P' in system A1(t), there exists a run R of P in system S1(t) such that R' simulates R via F. Given a run R' of P' in system A1(t), let R be the run constructed as above. By Lemma 1, R is a run of P. By Lemma 5, R is in system S1(t). Now we must show that R' simulates R via F. By construction of R, f_{p'}(states(H_{p'})) = states(H_p). Furthermore, if p' is nonfaulty in R', then p is nonfaulty in R, by Lemma 4.

The second direction is showing that given a run R of P in S1(t), there is a run R' of P' in system A1(t) such that R' simulates R via F. The idea of the construction is to let processors in R' take the same steps at exactly the same ticks as do the processors they are simulating in R, and to let the message delays be exactly the same. The key is to observe that a run in which processors are synchronous is also in the system with asynchronous processors (i.e., S1(t) is a subset of A1(t)). The following merely formalizes the idea and adds the appropriate tags to the messages.

Let R = (H_B, {H_p}_{p∈P}). Define a message buffer history H_{B'} as follows. Suppose message m from processor p to processor q is in msgs(H_B, i) for some i, and let b be the smallest integer such that m is in msgs(H_B, b). Then message m', equal to m with tag b − 1, from processor p' to processor q', is in msgs(H_{B'}, i). No other messages are in msgs(H_{B'}, i).

Define processor history H_{p'} = d'_1 s'_1 d'_2 s'_2 … as follows. Let d'_1 be the initial state of p' with sim component equal to state(H_p, 1). Suppose H_{p'} has been defined up to d'_i. Then s'_i = step(H_p, i). If s'_i = A, then d'_{i+1} = d'_i; otherwise let d'_{i+1}.sim = state(H_p, i + 1), d'_{i+1}.counter = d'_i.counter + 1, and d'_{i+1}.early = ∅. This defines the states of H_{p'}.

It is straightforward to show that R' = (H_{B'}, {H_{p'}}_{p'∈P'}) is a run of P' in system A1(t), and that R' simulates R via F. □

4. Simulating Synchronous Processors with Weaker Faults 

If the strongest type of processor fault allowed is omission, then the simulation and proofs can be slightly simplified. Fix t between 1 and n. Let system S2(t) be the intersection of systems OM(t) and RC and SP. Let system A2(t) be the intersection of systems OM(t) and RC. The same simulation as in Section 3 can be used, except it is no longer necessary to check if a message is the first one with that tag value. Since no Byzantine faults are considered, the message tag is always the correct active step count, so in constructing a run of the simulated protocol, variables a and b are always equal. Furthermore, Lemma 4 implies that each simulated processor has the same behavior (or better) as its simulating processor.

Theorem 7: System A2(t) simulates system S2(t), for any value of t, 1 ≤ t ≤ n.

The same simplifications apply if the only type of faults is failstop. Fix t between 1 and n. Let system S3(t) be the intersection of systems FS(t) and RC and SP. Let system A3(t) be the intersection of systems FS(t) and RC.

Theorem 8: System A3(t) simulates system S3(t), for any value of t, 1 ≤ t ≤ n.

5. Application 

An important result in the theoretical study of distributed systems is that no consensus protocol operating in a system with asynchronous processors and asynchronous communication can be guaranteed to terminate, if it must tolerate even one failstop processor fault (Fischer, Lynch and Paterson, 1985). This result was subsequently extended (Dolev, Dwork and Stockmeyer, 1987) to show that no consensus protocol operating in a system with asynchronous communication, but with processors in lockstep synchrony, can be guaranteed to terminate, if it must tolerate even one failstop processor fault. The proof of Dolev, Dwork and Stockmeyer (1987) followed the spirit of the proof of Fischer, Lynch and Paterson (1985), but required additional machinery and a more involved argument.

The result of Dolev, Dwork and Stockmeyer (1987) can be seen to be a corollary 
of the result of Fischer, Lynch and Paterson (1985), using Theorem 8 of this paper. 

Given a system S, a consensus protocol P for S is a protocol that satisfies the following. (1) Each processor's set of non-initial states has two disjoint subsets, the 0-final states and the 1-final states. Once a processor enters a v-final state, it is always in a v-final state. (2) There exists a run of P in S in which a processor enters a 0-final state, and there exists a run of P in S in which a processor enters a 1-final state. (3) For every run of P in system S, if some processor enters a v-final state, then no processor enters a w-final state for w ≠ v. (4) For every run of P in system S, some processor enters a v-final state, for some v.

The model of Fischer, Lynch and Paterson (1985) corresponds in our model to the system A3(1) obtained from the intersection of systems FS(1) and RC, i.e., the system with asynchronous processors, at most one of which is failstop-faulty, and reliable but asynchronous communication.

Theorem 9: [Fischer, Lynch and Paterson, 1985, Theorem 1] There is no consensus protocol for system A3(1).

The model of Dolev, Dwork and Stockmeyer (1987) corresponds in our model 
to the system S3(l) obtained from the intersection of systems FS(1) and SP and 
RC, i.e., the system with lockstep-synchronous processors, at most one of which is 
failstop-faulty, and reliable but asynchronous communication. 

Theorem 10: [Dolev, Dwork and Stockmeyer, 1987, Theorem 10] There is no 
consensus protocol for system S3(l). 

We now show that Theorem 10 follows from Theorem 9 using the results of 
this paper. 

Theorem 11: If there is no consensus protocol for system A3(1), then there is no consensus protocol for system S3(1).

Proof: Suppose in contradiction that there is a consensus protocol P for system S3(1). By Theorem 8, system A3(1) simulates system S3(1). Thus, there exists a simulation protocol P' such that P' in system A3(1) simulates P in system S3(1). The protocol P' can be used to construct a consensus protocol for system A3(1) simply by letting the v-final states of P' be those states d such that d.sim is a v-final state of P. Since P is a consensus protocol for system S3(1), there is a run R_0 of P in system S3(1) in which some processor enters a 0-final state and another run R_1 of P in system S3(1) in which some processor enters a 1-final state. Since P' in A3(1) simulates P in S3(1), there is a run R'_0 of P' in system A3(1) that simulates R_0, i.e., in which some processor enters a 0-final state, and another run R'_1 of P' in system A3(1) that simulates R_1, i.e., in which some processor enters a 1-final state. Since P is a consensus protocol for S3(1), and since P is simulated by P', there is no run of P' in system A3(1) with processors in conflicting final states, and some processor eventually enters a final state in every run in system A3(1). Thus there is a consensus protocol for system A3(1), contradicting the hypothesis. □